Latest news with #NotPetya
Business Wire
2 days ago
- Business
- Business Wire
CyberCube and Munich Re: Joint experts publish report to advance the insurance industry's understanding of systemic cyber risks
LONDON--(BUSINESS WIRE)--CyberCube and Munich Re, both leading providers in their field of cyber risk, analytics and insurance, have published the main findings of a joint study on severe cyber accumulation events and the relative resiliency of organizations to systemic events due to effective mitigation measures. The survey gathered insights from 93 seasoned cybersecurity professionals. The results provide a nuanced view of how systemic cyber events might unfold and of the factors that drive wide variation in risk exposure across firms: Widespread Malware Risk According to the majority of responding experts, a severe malware event could infect a quarter of all systems worldwide, but they agreed in that case only 15% may be fully compromised. Experts do not see an event where more than 50% of the world's systems are completely compromised. Based on the experts' judgement, another event on the scale of WannaCry and NotPetya would not be seen as surprising. Patch management, network segmentation, and data backups are identified as the most effective mitigations that organizations have against widespread malware attacks. When done effectively, such mitigations can reduce the chance of being affected by a widespread malware attack by 50% to 80% and reduce the financial impacts from such an event by a similar amount. Cloud Risk Cybersecurity experts expect broad cloud outages to last hours to days; outages beyond 72 hours are considered unlikely but not impossible. Findings show at least a medium level of dependency on cloud services across most industries with companies' business-critical operations increasingly reliant on them. Reliance tends to decrease with increasing company size. Financial losses scale with cloud outage duration: Respondents reported that a single-day outage of their most critical Cloud Service Provider (CSP) would likely result in a financial loss equal to 1% of their yearly revenue. Variation in losses reflect differences in dependency on the cloud, based on an organization's size, sector, and contingency planning. The most effective mitigation against cloud outages is to establish a multi-region architecture with the CSPs used for critical business applications. Having multiple CSPs was not found to be effective; the option to transfer service from one CSP to another during an outage was seen as unfeasible. Cyber Experts surveyed rate Azure, AWS and Google as the best prepared to mitigate against a major cloud outage and to recover from such an event. Emerging and Systemic Risks Experts believe that new technologies will begin to affect the threat landscape at about the same pace that they are being adopted in cybersecurity practices. According to cybersecurity experts, in the near term Industrial and Consumer Internet of Things (IoT) devices pose the biggest concern. Large Language Models (LLMs) are regarded as having an impact now while Artificial General Intelligence (AGI) is seen as a greater concern in five or more years. A fundamental challenge in cyber risk modeling is the deficiency of concrete tail-risk events, such as systemic malware or multi-region cloud outages. The joint survey represents the best attempt to parameterize plausible worst-case scenarios and establish expert consensus. Its objective was to advance market understanding, particularly concerning risk mitigation strategies for systemic cyber events. The results add credibility to CyberCube's model forecasts and further improve Munich Re's internal model and accumulation risk understanding. Jon Laux, Vice President of Analytics at CyberCube, said: "By sharing the findings of our study on systemic cyber risks, we aim to provide a more nuanced view of how systemic cyber events might unfold and the factors that drive wide variation in risk exposure across firms.' Stephan Brunner, Senior Cyber Actuary at Munich Re, said: 'Our ambition is to improve the understanding of possible extreme malware and cloud events alongside the effectiveness of mitigation measures by sharing the insights of our study. In collaboration, Munich Re aims to further strengthen expertise on systemic cyber risks and advance cyber accumulation modeling." The research has contributed to a more refined understanding of the relative resiliency of organizations to systemic events and the key variables that influence an organization's ability to withstand such incidents. These findings represent an important input into CyberCube's and Munich Re's evolving view of cyber risk and help inform ongoing enhancements to their modeling approach. CyberCube has incorporated these insights into Version 6 of its risk aggregation platform, Portfolio Manager. Modeling cyber accumulation is a joint effort across the entire insurance industry. For this reason, the key findings of the survey are being published to foster dialogue in the market. This study is the third of its kind, CyberCube and Munich Re plan to conduct another study in 2026. Interested cybersecurity experts are invited to participate. Read the report summarising the full study here – Key insights into systemic cyber risk CyberCube is the leading provider of software-as-a-service cyber risk analytics to quantify cyber risk in financial terms. Driven by data and informed by insight, we have harnessed the power of artificial intelligence to supplement our multi-disciplinary team. Our clients rely on our solutions to make informed decisions about managing and transferring cyber risks. We unpack complex cyber threats into clear, actionable strategies, translating cyber risk into financial impact on businesses, markets, and society as a whole. T he CyberCube platform was established in 2015 within Symantec and now operates as a standalone company. Our models are built on an unparalleled ecosystem of data and validated by extensive model calibration, internally and externally. CyberCube is the leader in cyber risk quantification for the insurance industry, serving over 100 insurance institutions globally. The company's investors include Forgepoint Capital, HSCM Bermuda and Morgan Stanley Tactical Value. For more information, please visit or email info@ Munich Re is one of the world's leading providers of reinsurance, primary insurance and insurance-related risk solutions. Munich Re is globally active and operates in all lines of the insurance business. Since it was founded in 1880, Munich Re has been known for its unrivalled risk-related expertise and its sound financial position. Munich Re leverages its strengths to promote its clients' business interests and technological progress. Moreover, Munich Re develops covers for new risks such as rocket launches, renewable energies, cyber risks and artificial intelligence. In the 2024 financial year, Munich Re generated insurance revenue of €60.8bn and a net result of €5.7bn. The Munich Re Group employed about 44,000 people worldwide as at 31 December 2024. For more information, please visit
Yahoo
21-02-2025
- Yahoo
DARPA touts ‘formal methods' for nipping cyber disasters in the bud
Officials at the Defense Advanced Research Programs Agency have begun nudging Defense Department managers to utilize idling DARPA cybersecurity tools meant to preempt hacks and accidents in critical programs. A series of high-profile incidents in recent years has highlighted a kind of passivity among defense officials in the face of the damage caused, according to Kathleen Fisher, the director of DARPA's Information Innovation Office. Believing that systems can't stave off catastrophic cyber incidents caused by software vulnerabilities, the department often focuses instead on reactive fixes, she said. But proactive tools for building more resilient software already exist in the Pentagon's arsenal of countermeasures, she said at a demonstration day at the agency's Arlington, VA headquarters earlier this month. 'We have many critical mission systems that have these kinds of vulnerabilities in them, and the way we've learned to deal with them is after they've been attacked, after we've learned, 'OK, that's a bad one,' we then go and fix it,' Fisher said. 'We pay billions of dollars after the fact to go fix these problems.' In 2017, Russia conducted a cyberattack against Ukraine that's now known as NotPetya. While the attack targeted Ukraine's power infrastructure, it ended up spreading outside the country, affecting infrastructure and businesses across Europe, including a Danish logistics company, Maersk, which is responsible for about 20% of global container shipping. In seven minutes, the attack destroyed 50,000 of the firm's computers and nearly wiped out the active directory system tracking its container ships. The company estimated the damage at around $300 million. Seven years later, in July 2024, faulty software from security firm CrowdStrike took millions of government and private sector computers offline, delaying thousands of commercial flights and canceling medical procedures as part of the global outage. The disruption was widespread, but the root cause was determined to be an accident — a software glitch that spread through a routine update. Events like these — adversarial or accidental — have become more prevalent in recent years. And according to Fisher, they highlight troubling software vulnerabilities in critical infrastructure. In response, the Defense Department and the broader U.S. government have developed a sense of 'learned helplessness' when it comes to addressing software vulnerabilities. Over the last 10 to 15 years, DARPA has proven that a software design approach called 'formal methods' can address these vulnerabilities before they're exploited by a coding error or an attack. Rather than validate the security of software code solely by testing it after it's already written, a formal-methods approach designs software through rigorous mathematical analysis, verifying its performance before and as it's being built. Some of the tools DARPA has developed have made their way into DOD programs of record, but adoption has been limited. Now, as concerns grow about the cybersecurity of military weapon systems, the agency is trying to raise awareness in the defense acquisition community that these solutions exist and are available for use. 'We can imagine a world without these software vulnerabilities, where we can eliminate the sense of learned helplessness across DOD, where we can rapidly secure critical systems . . . and where we can create a sustainable ecosystem of formal-methods tools that are ready and off the shelf for people to use,' Fisher said. One early DARPA program to showcase the utility of formal methods was the High-Assurance Cyber Military Systems effort, or HACMS. The program ran from 2012 to 2016 and culminated with two demonstrations, the first using a small quadcopter drone and then, in 2017, using Boeing's autonomous helicopter, the Unmanned Little Bird. During the second demonstration, a red team of hackers tried unsuccessfully to infiltrate the aircraft, according to Darren Cofer, a principal fellow at Collins Aerospace, whose predecessor Rockwell Collins was a contractor on HACMS. 'In HACMS, we showed that formal methods could be used to eliminate important security vulnerabilities from embedded systems in real aircraft,' Cofer said during the DARPA demo day. The agency has since pursued several other efforts to improve the usability of formal methods for DOD platforms. One of those programs, called SafeDocs, addresses vulnerabilities in parsers – software tools that convert data into a usable format. Another effort, Assured Micro Patching or AMP, provides a way to fix software bugs without the source code and ensure that the fix itself doesn't do more damage. These tools have all transitioned to DOD programs in a limited capacity, and DARPA has several other ongoing efforts aimed at further improving formal methods. Fisher noted that because the problem hasn't been fully solved, there's a tendency for programs to hold off on adopting it. But DARPA sees potential for these technologies to be planted more widely now -- both to secure existing DOD software installed on legacy platforms and to design software for future systems. 'We have plenty of technology that's ready for prime time and we should go ahead and transition and use that technology now because it will dramatically improve the security of our systems,' she said. 'We can't afford to wait until we've solved the whole problem to use the technology that we've got now.' How quickly and broadly the Defense Department adopts these tools depends on a number of factors — including funding and prioritization within the military services. To help spread the word and address barriers to adoption, DARPA kicked off the Capstone program last year. Through a partnership with the Undersecretary of Defense for Research and Engineering and the Director of Operational Test and Evaluation, the agency is working with the services to identify platforms that could benefit from formal methods. DARPA is providing some matching funds to make the tools available and, according to program manager Steve Kuhn, expects to identify the platforms by May. Once the Capstone programs are selected, the agency will help identify and fix software vulnerabilities within them and capture lessons learned to be compiled in a best practice guide that all programs will be able to access. DARPA's hope, Kuhn said, is that the guide will help DOD program offices see how resilient software tools are being applied and offer a resource that helps with that implementation. 'Part of the strategy that we've been embarking on is really an adoption plan that brings these resilient software tools to both our defense industrial base, our partners and the services themselves,' Kuhn said. 'We're not going to fix everything, but can we really capture what it takes to bring these tools to the masses?'
WIRED
15-02-2025
- Politics
- WIRED
The Official DOGE Website Launch Was a Security Mess
Matt Burgess Andrew Couts Feb 15, 2025 6:30 AM Plus: Researchers find RedNote lacks basic security measures, surveillance ramps up around the US-Mexico border, and the UK ordering Apple to create an encryption backdoor comes under fire. Photograph: Kamran Jebreili/AP As the United States reels from the upheaval caused by Elon Musk's so-called Department of Government Efficiency (DOGE), hackers from countries the US considers hostile continue to wreak havoc from afar. New research shows that China's Salt Typhoon hacking group has expanded its targets list to include universities around the world and at least two more telecoms operating in the US. That brings the total number of US telecommunications networks breached by Salt Typhoon to at least 11. Russia's notorious Sandworm hacking unit may be best known for its attacks on Ukraine, including multiple blackouts caused by its cyberattacks and its release of the destructive NotPetya malware. However, a hacking group within Sandworm is now taking aim at targets in Western nations, including Australia, Canada, the UK, and the US, according to research released this week by Microsoft. The group, which Microsoft calls BadPilot, is known as an 'initial access operation,' breaching targets for the purpose of handing over access to those systems to other Sandworm hackers. Meanwhile, we dug into the slimy world of romance scammers who are making ill-gotten fortunes by capitalizing on the loneliness epidemic, and we dipped into the opaqueness of online advertising data that could pose a threat to US national security. Finally, we found that US funding cuts under the new Trump administration are hurting the organizations protecting children from exploitation, abuse, and human trafficking. And there's more. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there. Elon Musk's DOGE finally started publishing some information about its activities on its threadbare website this week. But it wasn't the only entity publishing on the site. Two web developers, working independently, found that it is possible to push updates to the domain, which claims to be an official US government website. The website uses a database that can be edited by anyone online, the experts told 404Media. To demonstrate the insecurity, they left a couple of messages on the DOGE site: 'This is a joke of a .gov site,' one read, while the other says: 'THESE 'EXPERTS' LEFT THEIR DATABASE OPEN.' The messages stayed on the website for at least 12 hours and remained visible for some time on Friday. The DOGE website was launched in January and until this week was a single landing page containing very little information. The web experts who discovered the vulnerabilities told 404Media that the website appeared to have been 'slapped together.' The website only started being populated this week—with some figures purporting to show the size of the US government—after Musk promised his organization would be 'maximally transparent.' That transparency may have gone a step too far, however, with HuffPost reporting on Friday that the site included classified material. As well as being insecure, the DOGE website heavily leans on X, the social media platform owned by Musk. DOGE's homepage is a feed of its own X posts, but it also uses code that directs search engines to instead of a WIRED review of the site found. 'This isn't usually how things are handled, and it indicates that the X account is taking priority over the actual website itself,' one developer told WIRED. RedNote Security Flaws Come Into Focus Chinese TikTok alternative RedNote gained around 700,000 US users and courted American influencers when the ban on TikTok loomed in January. While many of those people may have only used RedNote for a few days, a new analysis from the University of Toronto's Citizen Lab has highlighted how a lack of encryption could have opened up US users to 'surveillance by any government or ISP [Internet Service Provider], and not just the Chinese government.' The analysis of RedNote found a host of network security issues in both its Android and iOS apps. RedNote fetched images and videos using HTTP connections, not the industry standard and encrypted HTTPS; some versions of the app contained a vulnerability that allows an attacker to have 'read' permissions on a phone; and it 'transmitted insufficiently encrypted device metadata.' The flaws were contained in RedNote's app and several third-party software libraries that it uses. Citizen Lab reported the issues to the companies starting in November 2024 but has not heard back from any of them. The security researchers say that the vulnerabilities could risk surveillance for all users, including those in China. 'As the Chinese government might already have mechanisms to lawfully obtain detailed data from RedNote about their users, the issues that we found also make Chinese users especially vulnerable to surveillance by non-Chinese governments,' the research says. It underscores that within China even widely used apps may not meet the same security standards as those developed outside the country. 'Applications that are popular in China often use no encryption, proprietary encryption protocols, or use TLS without certificate validation to encrypt sensitive data,' the analysis says. Military Spy Planes Increase Surveillance Flights at US-Mexico Border Over the last two weeks, US spy planes have flown at least 18 missions around the Mexico border, analysis from CNN has shown. The flights mark a 'dramatic escalation in activity,' the publication reports, and come as the Trump administration has designated drug cartels as terrorist organizations and has turned the nation's security apparatus toward deporting millions of migrants. According to CNN, various military planes, including Navy P-8s and a U-2 spy plane, were used in the operations and are capable of collecting both imagery and signals intelligence. Also this week, US Immigration and Customs Enforcement has advertised new contracts that would allow it to monitor 'negative' social media posts that people make about it. Backlash Mounts Against UK's Secret Apple Encryption Order Last month, the UK government hit Apple with a secret order demanding the company create a way to access data stored in encrypted iCloud backups. The order, called a Technical Capability Notice and issued under the UK's controversial 2016 surveillance law, was first reported by The Washington Post last week. Since then, there's been a growing backlash against the demands from the UK government, with many highlighting how a change would impact the security of millions around the world. US senator Ron Wyden and representative Andy Biggs have sent a letter to Tulsi Gabbard, the new director of national intelligence, saying the order undermines trust between the US and UK. 'If the UK does not immediately reverse this dangerous effort, we urge you to reevaluate US-UK cybersecurity arrangements and programs as well as US intelligence sharing with the UK,' the pair said, drawing comparisons to the Chinese-linked Salt Typhoon hacks of US telecom firms that utilized a surveillance 'backdoor.' Since details of the order emerged, Human Rights Watch has called it an 'alarming overreach,' while 109 civil society organizations, companies, and other groups signed an open letter saying the 'demand jeopardizes the security and privacy of millions.'
